diff --git a/services/maintenance/image.yaml b/services/maintenance/image.yaml
index fd28d90..39f4be7 100644
--- a/services/maintenance/image.yaml
+++ b/services/maintenance/image.yaml
@@ -21,3 +21,26 @@ spec:
 policy:
 semver:
 range: ">=0.1.0-0"
+---
+apiVersion: image.toolkit.fluxcd.io/v1beta2
+kind: ImageRepository
+metadata:
+ name: soteria
+ namespace: maintenance
+spec:
+ image: registry.bstein.dev/infra/soteria
+ interval: 1m0s
+ secretRef:
+ name: harbor-regcred
+---
+apiVersion: image.toolkit.fluxcd.io/v1beta2
+kind: ImagePolicy
+metadata:
+ name: soteria
+ namespace: maintenance
+spec:
+ imageRepositoryRef:
+ name: soteria
+ policy:
+ semver:
+ range: ">=0.1.0-0"
diff --git a/services/maintenance/kustomization.yaml b/services/maintenance/kustomization.yaml
index 9a74084..6ec832b 100644
--- a/services/maintenance/kustomization.yaml
+++ b/services/maintenance/kustomization.yaml
@@ -5,6 +5,7 @@ resources:
 - namespace.yaml
 - image.yaml
 - secretproviderclass.yaml
+ - soteria-configmap.yaml
 - vault-serviceaccount.yaml
 - vault-sync-deployment.yaml
 - ariadne-serviceaccount.yaml
@@ -13,9 +14,12 @@ resources:
 - k3s-traefik-cleanup-rbac.yaml
 - node-nofile-serviceaccount.yaml
 - pod-cleaner-rbac.yaml
+ - soteria-serviceaccount.yaml
+ - soteria-rbac.yaml
 - ariadne-deployment.yaml
 - oneoffs/ariadne-migrate-job.yaml
 - ariadne-service.yaml
+ - soteria-deployment.yaml
 - disable-k3s-traefik-daemonset.yaml
 - oneoffs/k3s-traefik-cleanup-job.yaml
 - node-nofile-daemonset.yaml
@@ -24,9 +28,12 @@ resources:
 - node-image-sweeper-serviceaccount.yaml
 - node-image-sweeper-daemonset.yaml
 - image-sweeper-cronjob.yaml
+ - soteria-service.yaml
 images:
 - name: registry.bstein.dev/bstein/ariadne
 newTag: 0.1.0-86 # {"$imagepolicy": "maintenance:ariadne:tag"}
+ - name: registry.bstein.dev/infra/soteria
+ newTag: 0.1.0-0 # {"$imagepolicy": "maintenance:soteria:tag"}
 configMapGenerator:
 - name: disable-k3s-traefik-script
 namespace: maintenance
diff --git a/services/maintenance/secretproviderclass.yaml b/services/maintenance/secretproviderclass.yaml
index 85df2af..cb61e46 100644
--- a/services/maintenance/secretproviderclass.yaml
+++ b/services/maintenance/secretproviderclass.yaml
@@ -13,9 +13,27 @@ spec:
 - objectName: "harbor-pull__dockerconfigjson"
 secretPath: "kv/data/atlas/shared/harbor-pull"
 secretKey: "dockerconfigjson"
+ - objectName: "soteria_restic__AWS_ACCESS_KEY_ID"
+ secretPath: "kv/data/atlas/maintenance/soteria-restic"
+ secretKey: "AWS_ACCESS_KEY_ID"
+ - objectName: "soteria_restic__AWS_SECRET_ACCESS_KEY"
+ secretPath: "kv/data/atlas/maintenance/soteria-restic"
+ secretKey: "AWS_SECRET_ACCESS_KEY"
+ - objectName: "soteria_restic__RESTIC_PASSWORD"
+ secretPath: "kv/data/atlas/maintenance/soteria-restic"
+ secretKey: "RESTIC_PASSWORD"
 secretObjects:
 - secretName: harbor-regcred
 type: kubernetes.io/dockerconfigjson
 data:
 - objectName: harbor-pull__dockerconfigjson
 key: .dockerconfigjson
+ - secretName: soteria-restic
+ type: Opaque
+ data:
+ - objectName: soteria_restic__AWS_ACCESS_KEY_ID
+ key: AWS_ACCESS_KEY_ID
+ - objectName: soteria_restic__AWS_SECRET_ACCESS_KEY
+ key: AWS_SECRET_ACCESS_KEY
+ - objectName: soteria_restic__RESTIC_PASSWORD
+ key: RESTIC_PASSWORD
diff --git a/services/maintenance/soteria-configmap.yaml b/services/maintenance/soteria-configmap.yaml
new file mode 100644
index 0000000..34ba7ca
--- /dev/null
+++ b/services/maintenance/soteria-configmap.yaml
@@ -0,0 +1,12 @@
+# services/maintenance/soteria-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: soteria
+ namespace: maintenance
+data:
+ SOTERIA_RESTIC_REPOSITORY: "s3:s3.us-west-004.backblazeb2.com/atlas-soteria"
+ SOTERIA_S3_ENDPOINT: "s3.us-west-004.backblazeb2.com"
+ SOTERIA_S3_REGION: "us-west-004"
+ SOTERIA_RESTIC_BACKUP_ARGS: ""
+ SOTERIA_RESTIC_FORGET_ARGS: ""
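Review bot: The new `soteria-restic` entry under `secretObjects` is, like `harbor-regcred` above it, only materialized as a Kubernetes Secret while some pod mounts this SecretProviderClass as a CSI volume, and the soteria Deployment added in this commit mounts no such volume; it reads the Secret by name through `SOTERIA_RESTIC_SECRET_NAME`. The Secret's existence therefore depends on whichever pod already mounts the class (presumably the vault-sync deployment listed in kustomization.yaml — cannot be confirmed from the hunk), and removing that pod would leave soteria's Jobs without credentials. A comment on the new entry would make the coupling visible, e.g. `# materialized only while the vault-sync pod mounts this class; soteria consumes it by name`.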
diff --git a/services/maintenance/soteria-deployment.yaml b/services/maintenance/soteria-deployment.yaml
new file mode 100644
index 0000000..7c4201e
--- /dev/null
+++ b/services/maintenance/soteria-deployment.yaml
@@ -0,0 +1,62 @@
+# services/maintenance/soteria-deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: soteria
+ namespace: maintenance
+spec:
+ replicas: 1
+ revisionHistoryLimit: 3
+ selector:
+ matchLabels:
+ app: soteria
+ template:
+ metadata:
+ labels:
+ app: soteria
+ spec:
+ serviceAccountName: soteria
+ containers:
+ - name: soteria
+ image: registry.bstein.dev/infra/soteria:latest
+ imagePullPolicy: Always
+ ports:
+ - name: http
+ containerPort: 8080
+ envFrom:
+ - configMapRef:
+ name: soteria
+ env:
+ - name: SOTERIA_SECRET_NAMESPACE
+ value: "maintenance"
+ - name: SOTERIA_RESTIC_SECRET_NAME
+ value: "soteria-restic"
+ - name: SOTERIA_JOB_TTL_SECONDS
+ value: "86400"
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: http
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 2
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: http
+ initialDelaySeconds: 2
+ periodSeconds: 5
+ timeoutSeconds: 2
+ resources:
+ requests:
+ cpu: 50m
+ memory: 64Mi
+ limits:
+ cpu: 200m
+ memory: 256Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ runAsUser: 65532
+ capabilities:
+ drop: ["ALL"]
diff --git a/services/maintenance/soteria-rbac.yaml b/services/maintenance/soteria-rbac.yaml
new file mode 100644
index 0000000..66e2d13
--- /dev/null
+++ b/services/maintenance/soteria-rbac.yaml
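Review bot: The container `securityContext` at the end of the hunk drops all capabilities and blocks privilege escalation but sets neither `readOnlyRootFilesystem: true` nor a seccomp profile (`seccompProfile: { type: RuntimeDefault }`); for a workload whose service account can create and delete Secrets (see soteria-rbac.yaml in this commit) those two lines under the same key are cheap hardening. Whether the service writes to its own filesystem cannot be told from here, so confirm that before making the root filesystem read-only. The `image:` line pins `:latest` with `imagePullPolicy: Always`, while the `images:` entry added to kustomization.yaml in this same commit rewrites the tag to the ImagePolicy's value; a comment such as `# tag is replaced at build time by kustomization.yaml images:` would explain why `:latest` is only a placeholder and why the manifest should not be applied on its own.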
@@ -0,0 +1,25 @@
+# services/maintenance/soteria-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: soteria
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "create", "update", "delete"]
+ - apiGroups: ["batch"]
+ resources: ["jobs"]
+ verbs: ["get", "list", "create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: soteria
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: soteria
+subjects:
+ - kind: ServiceAccount
+ name: soteria
+ namespace: maintenance
diff --git a/services/maintenance/soteria-service.yaml b/services/maintenance/soteria-service.yaml
new file mode 100644
index 0000000..85bfcca
--- /dev/null
+++ b/services/maintenance/soteria-service.yaml
@@ -0,0 +1,14 @@
+# services/maintenance/soteria-service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: soteria
+ namespace: maintenance
+spec:
+ type: ClusterIP
+ selector:
+ app: soteria
+ ports:
+ - name: http
+ port: 80
+ targetPort: http
diff --git a/services/maintenance/soteria-serviceaccount.yaml b/services/maintenance/soteria-serviceaccount.yaml
new file mode 100644
index 0000000..88e8054
--- /dev/null
+++ b/services/maintenance/soteria-serviceaccount.yaml
@@ -0,0 +1,8 @@
+# services/maintenance/soteria-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: soteria
+ namespace: maintenance
+imagePullSecrets:
+ - name: harbor-regcred
diff --git a/services/vault/scripts/vault_k8s_auth_configure.sh b/services/vault/scripts/vault_k8s_auth_configure.sh
index 0b96368..0e413b7 100644
--- a/services/vault/scripts/vault_k8s_auth_configure.sh
+++ b/services/vault/scripts/vault_k8s_auth_configure.sh
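Review bot: The ClusterRole grants `get`/`list`/`create`/`update`/`delete` on `secrets` and is bound through a ClusterRoleBinding, so the `soteria` service account can read or overwrite any Secret in any namespace, while the Deployment in this commit only configures `SOTERIA_SECRET_NAMESPACE=maintenance` and a single secret name. If the controller only operates inside `maintenance`, a namespaced Role plus RoleBinding keeps the same rules with a namespace-sized blast radius; if it must create Jobs in other namespaces, keep the ClusterRole but bind it with one RoleBinding per target namespace instead of a ClusterRoleBinding. `list` on secrets returns their contents, so it is also worth confirming the controller needs it rather than `get` by name. Whether cross-namespace access is required cannot be determined from these manifests alone.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: soteria
  namespace: maintenance
# … unchanged: rules …
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: soteria
  namespace: maintenance
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: soteria
# … unchanged: subjects …
```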
@@ -247,7 +247,7 @@ write_policy_and_role "crypto" "crypto" "crypto-vault-sync" \
 write_policy_and_role "health" "health" "health-vault-sync" \
 "health/*" ""
 write_policy_and_role "maintenance" "maintenance" "ariadne,maintenance-vault-sync" \
- "maintenance/ariadne-db portal/atlas-portal-db portal/bstein-dev-home-keycloak-admin mailu/mailu-db-secret mailu/mailu-initial-account-secret nextcloud/nextcloud-db nextcloud/nextcloud-admin health/wger-admin finance/firefly-secrets comms/mas-admin-client-runtime comms/atlasbot-credentials-runtime comms/synapse-db comms/synapse-admin vault/vault-oidc-config shared/harbor-pull" ""
+ "maintenance/ariadne-db maintenance/soteria-restic portal/atlas-portal-db portal/bstein-dev-home-keycloak-admin mailu/mailu-db-secret mailu/mailu-initial-account-secret nextcloud/nextcloud-db nextcloud/nextcloud-admin health/wger-admin finance/firefly-secrets comms/mas-admin-client-runtime comms/atlasbot-credentials-runtime comms/synapse-db comms/synapse-admin vault/vault-oidc-config shared/harbor-pull" ""
 write_policy_and_role "finance" "finance" "finance-vault" \
 "finance/* shared/postmark-relay" ""
 write_policy_and_role "finance-secrets" "finance" "finance-secrets-ensure" \
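Review bot: Adding `maintenance/soteria-restic` to this path list widens what every service account named in the call's third argument can read — if `"ariadne,maintenance-vault-sync"` is the bound-SA list, as the name suggests, ariadne gains read access to the restic S3 keys and repository password even though only the sync pod that mounts the SecretProviderClass appears to need them. A separate `write_policy_and_role` call for a soteria- or sync-specific role would keep the credential scoped, or at least confirm in a comment that ariadne sharing this policy is intended. The quoted list has now grown to sixteen space-separated paths on one line; splitting it one path per line with `\` continuations (the file already uses `\`) would keep future diffs to a single line. `write_policy_and_role` is defined outside the hunk, so the meaning of its arguments is inferred from the call sites.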